The Edge Mesh: serverless print resilience and security

A cloud-native solution for print management is trickier than common SaaS cloud offerings like Google Workspace etc. 

Due to the nature of printing requiring a physical printer/MFD, there will always be an element of on-premise infrastructure. Due to this anchoring to hardware, historically, many fully-hosted (multi-tenant SaaS) cloud solutions for print have been slow, had a bad UX, and introduced security concerns. 

PaperCut wanted to level up cloud printing to meet the needs and expectations of organizations today. We borrowed the best-of-breed IoT practices and performed a line-one rewrite of our codebase to build a public cloud print management platform that provides secure, fast, and reliable printing.

The golden goose of print in the cloud

A fully-hosted (multi-tenant SaaS) solution that delivers the best of on-premise and cloud technology: that’s the new ground the print world has been trying to cover. 

Self-hosted (single-tenant) solutions are tried and tested. In fact, we’ve been doing that for years with PaperCut MF. Fully-hosted (multi-tenant SaaS) options for printing are trickier, because the printer itself means some on-prem hardware is always involved.

The golden goose of print management in the cloud is a solution that provides the best of cloud and local infrastructure. 

Rather… It was the golden goose. It now exists, and it’s called Edge Mesh.

Edge Mesh is the code base for PaperCut Hive and PaperCut Pocket. It solves the existing problems of cloud printing and reimagines local infrastructure by leveraging your network’s existing devices as redundant components of a collective print server.

“Edge Mesh is a computing paradigm that uses a mesh network of edge devices (edge nodes) and routers to enable distributed decision-making within the network.”

Fully-hosted cloud and on-premise: the best of both worlds unlocked

Features | Local infrastructure printing | Public Cloud printing | Edge Mesh
Offline functionality
Near-zero latency
High security
Documents stay local
Direct management
Scalability
High availability
Cost effective
Easy administration
Off-premise print submission

The history of Edge Mesh

The catch with outsourcing printing to a service provider in the cloud is that the cloud can’t send a job directly to the printer. For all cloud print solutions, software has to exist somewhere on the network to allow coordination between the cloud and the printer. The software can either sit on the printer, on a computer, or on a dedicated device.

The challenge with printers and clouds is you can’t get around the hardware. Another industry that had a similar problem was IoT. We looked at the best practices of modern IoT systems like Apple Home lighting and Zigbee and we gravitated towards two complementary approaches: Edge computing and Mesh networks.

Leveraging the computing power of devices such as laptops and desktops on the Edge (closer to where devices are located) sidesteps dependency on the cloud (a data center possibly thousands of miles away) for computing resources. Coordinating the edge devices together to form a self-healing Mesh then increases reliability and adds built-in redundancy.

We learned from IoT practices that the road to the best of both cloud and on-prem worlds for print was to use the devices already on site (that is, not buying additional hardware like a print server or an MFD) to coordinate printing in a self-healing manner, and leverage the cloud as an extension for configuring print management, not to drive core functionality.

PaperCut Software drew on our 20+ years of experience in print management and embarked on a line-one code rewrite of our software to design the Edge Mesh: the beating heart behind our fully-hosted (multi-tenant SaaS) cloud-native solutions, PaperCut Hive and PaperCut Pocket.

How does the Edge Mesh work?

[Figure: Edge Mesh printing process diagram]

Users’ laptops and PCs that have PaperCut Hive and PaperCut Pocket installed form the Edge Mesh. These devices (edge nodes) securely communicate with each other to form an intelligent mesh that replicates the role of a print server. 

When users submit a print job to the queue, the cloud determines which edge nodes are online to process the print job. The cloud selects an edge node to receive and replicate the job’s attributes to other edge nodes (2 by default) for redundancy. 

In the Edge Mesh, the nodes do the processing and the cloud service is the administrator. There’s a bonus; if the internet is down and the cloud is unavailable, the Edge Mesh will continue to work.

The Edge Mesh consists of the following edge nodes:

  • Standard Node - a device (for example, a laptop or PC) with an active role in enabling printing.
  • Super Node - a highly reliable and constantly accessible device with a prioritized role perfect for large print jobs.
  • Passive Node - a demoted node that can still print but isn’t always available to contribute an active role.
  • Cloud Node - an optional node in the cloud to support off-network or cloud printing.

You can read more about edge nodes in our manual.

Self-healing network

[Figure: Self-healing Edge Mesh network]

The self-healing nature of the Edge Mesh delivers high availability printing with scalable printing power. 

Adding a new device to the network is like adding a server. As your organization grows, the Edge Mesh strengthens. The more devices in your network, the more edge nodes in your Edge Mesh to process print jobs, the stronger your Edge Mesh. 

Goodbye hardware failover! If one edge node fails or can’t be reached, another node steps in to take its place. The more nodes you have, the more robust the system, the higher its availability. 

The Edge Mesh applies this same high availability technique to its processing. All print jobs are triple-protected from a single node failure. When a document is submitted, it’s sent (fully encrypted) to 3 separate nodes. This built-in job redundancy maintains print efficiency for the entire network.

Thanks to the self-healing network providing continuous delivery, your network administrators don’t need to schedule downtime for manual updates. Individual edge nodes independently communicate with the cloud provider and automatically patch themselves.

Find out more about how PaperCut Hive and PaperCut Pocket work.

Shift-left security

[Figure: Edge Mesh's shift-left security]

The Edge Mesh is built from the ground up to the most secure industry standards.

The code base development used a shift-left approach, meaning before a single line of code was written, security was at the forefront of the product engineering process.

As a result, the Edge Mesh is purpose-built for a higher level of security than commonly found in traditional print environments.

The historical concern with print management and the cloud is the question of data’s safety while traversing the internet. The Edge Mesh removes this concern. With your edge nodes handling the role of a print server, the content of your print jobs never has to leave your network. Your documents aren’t even handled by anybody outside of your organization.

Outsiders can’t plug into the Edge Mesh because it doesn’t rely on a physical connection or protection by a single password. The cloud governs access and actively challenges new devices to verify their access.  

When it comes to the data itself, it’s all encrypted and secured at rest and in motion. At rest, your data is protected with a 3-part encryption, made up of three keys needed for decryption. In motion, your data is secured via HTTPS.

The only time your print documents travel to the cloud is when using the optional Cloud Node for remote printing. When not using Cloud Node, all that is sent to the cloud is the job’s attributes (job details: no. of pages, user, doc. title). This is encrypted with secure HTTPS protocols (similar to online banking). 

Throughout this process, edge nodes are constantly authenticated and validated. This “always verify” principle is baked into every step of printing.

Find out more about print security practices.

Always verify

[Figure: Edge Mesh's always verify principles]

Following shift-left principles, when it comes to authentication and validation the Edge Mesh’s default is Always Verify. Whether inside or outside the network, no component, user, or device is trusted by default. 

Authentication and validation are required at all times:

  • Authentication - Confirms the user’s/device’s identity
  • Validation - Ensures the user/device is allowed network access

All print jobs are securely transmitted into the Edge Mesh via HTTPS and authenticated at every step:

Step 1 - Is this user allowed to print?

Step 2 - Is this job allowed from this user?

Step 3 - Is this user allowed to print to this printer?

As we know, print jobs are sent to a minimum of three edge nodes for redundancy. After these nodes analyze the job’s attributes, the Edge Mesh encrypts the data with a 3-part key provided by the cloud. This 3-part key is then immediately discarded by the Edge Mesh.

For an edge node to decrypt any data and process the job, it needs to contact the cloud, authenticate again, get the 3-part key again, and unlock the file.
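The encrypt, discard, re-authenticate flow described above, modelled as an added example; this is not PaperCut's code. How the three parts combine, the Cloud class, the node tokens and the replica check are all assumptions, and the hash-based cipher is only a stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def _keys(parts):
    # Assumption: the three 32-byte parts are hashed together, so all three are required.
    d = hashlib.sha512(b"".join(parts)).digest()
    return d[:32], d[32:]                      # (encryption key, MAC key)

def _xor(key, nonce, data):
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(parts, plaintext):
    """Encrypt-then-MAC stand-in for a vetted AEAD such as AES-GCM."""
    k_enc, k_mac = _keys(parts)
    nonce = secrets.token_bytes(16)
    ct = _xor(k_enc, nonce, plaintext)
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()

def unseal(parts, blob):
    k_enc, k_mac = _keys(parts)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key part or tampered data")
    return _xor(k_enc, nonce, ct)

class Cloud:
    """Hypothetical key service: keeps the key parts, releases them only on re-authentication."""
    def __init__(self):
        self.tokens, self.jobs = {}, {}
    def enroll(self, node):
        return self.tokens.setdefault(node, secrets.token_bytes(32))
    def revoke(self, node):
        self.tokens.pop(node, None)
    def new_job(self, job, replicas):
        self.jobs[job] = (tuple(secrets.token_bytes(32) for _ in range(3)), set(replicas))
    def get_key(self, node, token, job):
        known = self.tokens.get(node)
        if known is None or not hmac.compare_digest(known, token):   # authentication
            raise PermissionError("unknown or revoked node")
        parts, replicas = self.jobs[job]
        if node not in replicas:                                      # validation
            raise PermissionError("node is not a holder of this job")
        return parts

def store_job(cloud, node, token, job, data):   # encrypt; the key is not kept afterwards
    return seal(cloud.get_key(node, token, job), data)

def open_job(cloud, node, token, job, blob):    # decrypting needs a fresh authenticated request
    return unseal(cloud.get_key(node, token, job), blob)
```

Because a node at rest holds only ciphertext, revoking its token in the key service cuts off access to jobs it already stores.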

These “always verify” principles guard against all access-based compromises. Data in the Edge Mesh is protected at every point because protection is built into its functionality.

Find out more about “always verify” principles for PaperCut Pocket and PaperCut Hive.

The future of cloud and print

The Edge Mesh delivers print management with fully-hosted (multi-tenant SaaS) functionality and on-premise security and resilience.

Most importantly, the Edge Mesh opens up the powers of print management that were previously only available at the enterprise level to businesses and organisations:

By reimagining the print server with Edge computing and Mesh networking, Edge Mesh technology removes the barrier of entry for small to medium-sized businesses.

With the Edge Mesh, our cloud-native print solutions, PaperCut Hive and PaperCut Pocket, redefine the realms of print management for businesses of all shapes and sizes.
